The Investigatory Powers (IP) bill has been given approval by David Anderson in a report. Britain’s spies should be allowed to continue harvesting large amounts of data from emails, the government’s reviewer of terror legislation said. IT security experts from AlienVault, MIRACL and Lieberman Software commented below.
Javvad Malik, Security Advocate at AlienVault:
“The IP Bill discussion is often framed as an ‘us’ vs ‘them’ argument. But as we discuss in our report “Privacy, the Feds, and Governments Surveillance” it appears that many agree on the intent (62% of security professionals supported governments being able to legally intercept communications relating to suspected terrorism and 41% would support the interception of those related to criminal activity).
The areas of contention stem around the ‘how’ with many citing proposed bills underestimate the impact certain aspects could have to technology deployments, leaving the general public more exposed than before.
The second aspect is the lack of confidence that governments have the ability to adhere to the accountability controls put in place to ensure the powers are only used appropriately.
Impact to the business is an interesting area worth exploring. Encryption being the largest source of controversy, particularly where the service provider doesn’t have the key.
The scope of the bill is vague and can be interpreted to cover any business that operates a public or private network. ISP’s / telecoms providers will face the brunt of the bill and will have to field warrants, install new equipment, update technical capabilities, and provide search capabilities.
Similarly, cloud service providers will fall under the same umbrella. This includes social media platforms like Twitter or Facebook. In fact, any online business – even ones that aren’t explicitly telecoms providers can be treated as such and require to comply with data intercept requests. For example, online commerce websites which also provide a facility for customers to communicate with each other e.g. eBay, cab be treated as a telecoms provider.
As the bill comes into force and we start seeing implementations of it, or challenges are made in court, we’ll begin to see and understand the full impact of it.”
Brian Spector, CEO at MIRACL:
“This kind of bulk data collection will weaken the very products and standards that we all use to protect ourselves. The same vulnerabilities used by intelligence agencies to spy on global citizens can also be used by criminals to steal your passwords. We either enable spying – by either governments or hackers – or we defend against it.
Given that most people now place all their personal data online, the IP Bill would grant enormous surveillance capabilities to the government. If the legislation proceeds, it could undermine trust in the Internet as a whole, from service providers, to device manufacturers, to the apps we use as part of our everyday lives. But it also has serious implications for tech companies who, under the proposals, would be legally bound to help UK police and security services access an individual’s device. In addition, any software made by a British company could soon be perceived to be facilitating government spying on its customer’s data. This could make it much harder for British technology and information security companies to compete globally.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“For a US company exporting encryption and other security related technologies, we already have a complex job in many cases when selling to the UK and EU. The new powers related to encryption in the Equipment Interference bits of the Investigatory Powers Bill will make that potentially more complex. At some point, there always needs to be an examination of the complexity versus the reward when it comes to regulatory burdens. If we need to significantly adjust our design and componentry in our platform because of changes in just one place, then the natural question is will we make the required revenue to justify that? Another interesting aspect of this will be what the IP Bill’s impact may be on EU regulations, which are already quite complex. For the most part, meeting the EU burden is more of an on paper exercise, but if changes made for the UK regulations affect our ability to meet EU regulations then that pulls in a whole new dimension of issues.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.